
The iframe elements in the website could be exploited by attackers to determine who the users chat with.

It seems that security and privacy woes continue to trouble Facebook. In a recent incident, Ron Masas, a security researcher at Imperva, discovered a security bug in the platform’s messaging website, Messenger.

This flaw was found in the application’s desktop website. Attackers could insert malicious links which, when clicked, would allow them to see users’ conversations.

The big picture

Ron Masas noticed that the web application of Messenger used iframe elements to power the user interface. He found that these iframes could be used to get information about the ‘states’ which can give clues about the users' conversations in Messenger.

The number of iframes changed every time a user contacted another user through Messenger.

For this reason, attackers could trick users into opening a malicious webpage, which would keep the users distracted while the exploit ran against Messenger in a background tab.

To execute the exploit, the attacker would reload Messenger in the background and count the number of iframes in the page, which tells the attacker whether the user has been chatting with specific users.

Thus, attackers can perform a Cross-Site Frame Leakage attack, which is a type of side-channel attack on the end user's browser. However, attackers cannot expose the complete content of the conversation.

The issue with iframes - The number of iframes loaded in the page gives information about the state of the webpage.

As per the researcher's blog, "When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds. This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy."

Thus, the researcher was able to leak the state of the cross-origin window by analyzing the raw pattern of iframe count over time or by timing certain “milestones” of the pattern.

What actions were taken?

When the researcher reported the security issue to Facebook, the company tried randomizing the number of iframes on the page. However, the researcher could still adapt his algorithm to leak the state. Finally, Facebook removed all the iframe elements present in the user interface of Messenger to get rid of the issue.
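The sequence of fixes above can be turned into a self-audit a site owner runs over iframe-count traces recorded from their own page in each state. This is an added example, not code from the researcher or Facebook; the trace values, feature names and function names are constructed for illustration and are not Messenger's real numbers.

```javascript
// Added example: audit recorded iframe-count traces for state leakage.
// Each trace is the frame count sampled over one page load (constructed data).

// 1 if the count falls and later rises again (the brief "drop"), else 0.
function hasDip(trace) {
  let dropped = false;
  for (let i = 1; i < trace.length; i++) {
    if (trace[i] < trace[i - 1]) dropped = true;
    else if (dropped && trace[i] > trace[i - 1]) return 1;
  }
  return 0;
}

// Hypothetical features an observer could derive from the count alone.
const FEATURES = {
  finalCount: (t) => t[t.length - 1],
  peakCount: (t) => Math.max(...t),
  dipAfterPeak: (t) => hasDip(t),
};

// Names of features whose value ranges never overlap between the two states,
// i.e. a single threshold tells the states apart.
function leakingFeatures(stateA, stateB) {
  return Object.keys(FEATURES).filter((name) => {
    const a = stateA.map((t) => FEATURES[name](t));
    const b = stateB.map((t) => FEATURES[name](t));
    return Math.max(...a) < Math.min(...b) || Math.max(...b) < Math.min(...a);
  });
}

// Constructed traces for the three stages described in the article.
const SAMPLES = {
  original:   { contacted:    [[0, 1, 2, 3, 4, 4], [0, 2, 3, 4, 4]],
                notContacted: [[0, 1, 2, 3, 1, 3], [0, 1, 3, 0, 3]] },
  randomized: { contacted:    [[0, 2, 5, 5], [0, 1, 4, 7, 7]],
                notContacted: [[0, 3, 6, 2, 6], [0, 2, 4, 1, 4]] },
  noIframes:  { contacted:    [[0, 0, 0], [0, 0, 0]],
                notContacted: [[0, 0, 0], [0, 0, 0]] },
};

function audit(stage) {
  const { contacted, notContacted } = SAMPLES[stage];
  return leakingFeatures(contacted, notContacted);
}

for (const stage of Object.keys(SAMPLES)) {
  console.log(stage, "->", audit(stage).join(", ") || "no separable feature");
}
```

In the constructed data, randomizing the count hides the absolute values but leaves the timing pattern separable, which matches the article's account of why only removing the iframes closed the channel.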

The researcher also emphasized the need to focus on the threat of such browser-based attacks, which are often neglected by many websites.

Ryan Stewart

Ryan is a senior cybersecurity and privacy analyst. He keenly follows the innovation and development in cybersecurity technologies, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world.
